TIBER-EU (Threat Intelligence-Based Ethical Red Teaming) is the European framework for controlled red team tests of critical financial infrastructure. The ECB adopted it in 2018. 15+ EU member states plus Switzerland (as TIBER-CH) have implemented it. Over 100 TIBER tests have been conducted, and 94% of participating institutions report significant improvements in cyber resilience (ECB TIBER-EU Implementation Report, 2024). It finds vulnerabilities that penetration testing and compliance audits consistently miss.
TIBER-EU is distinct from standard red teaming because it mandates a three-party model: the target institution, an independent threat intelligence provider, and a separate red team provider. The TI provider produces a Targeted Threat Intelligence report first. The red team then attacks based on that intelligence. This ensures you are testing against the threats that actually target your institution, not a generic adversary profile.
What Is the TIBER-EU Framework and Why Does It Matter?
The TIBER-EU framework represents a fundamental shift in how financial institutions assess their cybersecurity defenses. Unlike conventional penetration testing, which operates from predefined scopes and known attack surfaces, TIBER-EU mandates that tests be driven by real, current threat intelligence specific to the target institution. This means that the attacks simulated during a TIBER test replicate the exact methods that nation-state actors, cybercriminal organisations, and hacktivists would use against that particular institution.
The framework was developed by the European Central Bank (ECB) in collaboration with national central banks and financial supervisory authorities across Europe. Its creation was motivated by a growing recognition that the financial sector’s interconnected nature meant that a successful cyberattack on one critical institution could cascade across the entire financial system.
“TIBER-EU provides a controlled, bespoke, intelligence-led red team test of entities’ critical live production systems. It is not a compliance exercise but a genuine test of an entity’s ability to detect and respond to a sophisticated cyberattack.” — European Central Bank, TIBER-EU Framework Documentation (2018)
Key statistics underscore the framework’s importance:
- 94% of institutions that completed TIBER tests reported measurable improvements in detection capabilities (ECB, 2024)
- 78% of TIBER tests identified critical vulnerabilities that had not been found by other assessment methods (DNB, 2023)
- 15+ EU member states have implemented national TIBER frameworks as of 2025
- 62% average improvement in mean time to detect (MTTD) adversarial activity post-TIBER engagement (Banque de France, 2024)
- The average TIBER test takes 12-16 weeks from threat intelligence phase to red team execution
How Is the TIBER-EU Framework Structured?
The TIBER-EU framework follows a three-phase structure, each building upon the previous phase. Understanding these phases is essential for any institution preparing for a TIBER engagement.
Phase 1: Preparation Phase
The preparation phase establishes the governance structure and scope of the test. This phase typically lasts 4-6 weeks and involves:
| Activity | Description | Key Participants |
|---|---|---|
| Scoping | Define critical functions and systems to be tested | White Team, Regulator |
| Procurement | Select Threat Intelligence (TI) and Red Team (RT) providers | White Team |
| Governance Setup | Establish communication protocols and escalation procedures | White Team, TIBER Cyber Team |
| Risk Assessment | Identify and mitigate potential risks from testing | All parties |
| Legal Agreements | Sign contracts including liability and confidentiality clauses | All parties |
Phase 2: Testing Phase
The testing phase is divided into two sub-phases:
Threat Intelligence Sub-Phase (4-6 weeks): The Threat Intelligence provider conducts a targeted threat intelligence assessment of the institution. This produces a Targeted Threat Intelligence Report (TTIR) that identifies the most relevant threat actors, their capabilities, and the specific attack scenarios they would likely execute against the target.
Red Team Sub-Phase (8-12 weeks): Using the TTIR as their operational blueprint, the Red Team provider designs and executes attack scenarios against the institution’s live production systems. The red team operates with no prior knowledge of the institution’s defenses and must replicate the tradecraft of the identified threat actors as closely as possible.
Phase 3: Closure Phase
The closure phase involves debriefing, reporting, and remediation planning. Key deliverables include:
- Red Team Test Report documenting all activities, findings, and evidence
- Blue Team Report from the institution’s defenders on their detection and response
- TIBER Test Summary for the regulator
- Remediation Plan with prioritized actions and timelines
What Is TIBER-CH and How Does Switzerland Implement the Framework?
TIBER-CH is Switzerland’s national implementation of the TIBER-EU framework, adapted for the Swiss financial sector under the oversight of the Swiss Financial Market Supervisory Authority (FINMA) and the Swiss National Bank (SNB). Launched in 2020, TIBER-CH aligns with the European framework while incorporating Swiss-specific regulatory requirements and financial market characteristics.
Switzerland’s implementation is particularly significant because, while not an EU member state, the country recognized the importance of harmonizing its approach to threat-led penetration testing with the broader European framework. This decision was driven by the deep interconnectedness of Swiss financial institutions with the European and global financial system.
Key aspects of TIBER-CH include:
- Oversight: The SNB serves as the TIBER Cyber Team (TCT), with FINMA providing regulatory backing
- Scope: Systemically important financial institutions and financial market infrastructures
- Mandatory vs. Voluntary: FINMA can require TIBER-CH tests for institutions deemed systemically critical
- Provider Requirements: Both TI and RT providers must meet specific qualification criteria established by the SNB
- Frequency: Institutions are typically expected to undergo TIBER-CH tests every 2-3 years
“The Swiss financial center’s international connectivity makes threat intelligence-led red teaming not just advisable but essential. TIBER-CH ensures our most critical institutions are tested against the same sophisticated threat scenarios they face in reality.” — Swiss National Bank, TIBER-CH Implementation Guide (2023)
FINMA’s approach to TIBER-CH reflects its broader supervisory strategy of combining principles-based regulation with specific technical requirements. For institutions subject to TIBER-CH, the results feed directly into FINMA’s supervisory assessment and can influence capital adequacy and operational risk requirements. For more on FINMA’s cybersecurity regulatory framework, see CybersecuritySwitzerland.ch’s FINMA compliance guide.
Who Are the Key Roles in a TIBER Test?
A TIBER test involves several distinct roles, each with specific responsibilities and requirements. Understanding these roles is critical for institutions preparing for their first TIBER engagement.
The White Team
The White Team is a small, carefully selected group within the target institution (typically 2-5 people) who are aware of the test. They serve as the primary point of contact and are responsible for managing the test from the institution’s side. The White Team must maintain strict operational security — the vast majority of the institution’s staff, including the Blue Team (security operations), must not know about the test.
The TIBER Cyber Team (TCT)
The TCT is the national authority overseeing the TIBER process. In Switzerland, this role is filled by the Swiss National Bank. The TCT provides oversight throughout all phases, reviews and validates deliverables, and ensures the test meets TIBER framework requirements.
The Threat Intelligence Provider
The TI provider is an external organization contracted to produce the Targeted Threat Intelligence Report. Requirements for TI providers typically include:
- Demonstrated expertise in cyber threat intelligence for the financial sector
- Access to classified or restricted threat intelligence sources
- Analysts with relevant security clearances (where applicable)
- Independence from the Red Team provider (in most implementations)
The Red Team Provider
The Red Team provider executes the attack scenarios defined in the TTIR. This is where organisations like RedTeamPartner.com demonstrate their value, bringing the specialized expertise required for TIBER-grade red team engagements. Requirements include:
- Certified offensive security professionals (CREST, OSCP, OSCE, etc.)
- Experience conducting TIBER or equivalent intelligence-led red team tests
- Ability to replicate advanced persistent threat (APT) tradecraft
- Robust operational security and evidence handling procedures
- Insurance coverage appropriate to the risks of testing live production systems
For Swiss institutions seeking qualified TIBER-CH red team providers, RedTeamPartner.com’s TIBER services offer a team with direct experience in Swiss financial sector engagements.
The Blue Team
The Blue Team consists of the institution’s defensive security operations — the SOC analysts, incident responders, and threat hunters who are responsible for detecting and responding to the simulated attack. Critically, the Blue Team must not be informed of the TIBER test. Their genuine, unscripted response is what the test is designed to evaluate.
What Does the TIBER Testing Process Look Like Step by Step?
Understanding the end-to-end TIBER testing process helps institutions prepare effectively and set appropriate expectations for timeline, resources, and outcomes.
Step 1: Engagement Initiation (Week 1-2): The TCT (or regulator) notifies the institution that a TIBER test is required. The institution’s White Team is formed and briefed on the framework requirements.
Step 2: Scoping and Flag Definition (Week 2-4): The White Team, in consultation with the TCT, defines the critical functions to be tested and the “flags” — the specific objectives the red team must attempt to achieve. Flags might include accessing specific databases, intercepting transaction data, or compromising payment systems.
Step 3: Provider Procurement (Week 3-6): The institution procures separate Threat Intelligence and Red Team providers (separation requirements vary by national implementation). Contracts, NDAs, and liability agreements are executed.
Step 4: Threat Intelligence Assessment (Week 6-12): The TI provider conducts their assessment, producing the TTIR. This document identifies:
- The most relevant threat actors targeting the institution
- Their known TTPs (tactics, techniques, and procedures)
- Specific attack scenarios recommended for the red team test
Step 5: Attack Planning (Week 12-14): The Red Team provider reviews the TTIR and develops a detailed attack plan. This plan is reviewed and approved by the White Team and TCT.
Step 6: Red Team Execution (Week 14-26): The red team executes their attack scenarios against the institution’s live production systems. This is the most intensive phase, with the red team operating covertly while the institution’s defenders respond naturally.
Step 7: Reporting and Debriefing (Week 26-30): All parties produce their reports. A “purple team” session is conducted where the red team and blue team review the engagement together, sharing insights on what worked, what was detected, and what was missed.
Step 8: Remediation Planning (Week 30-34): The institution develops a remediation plan addressing identified vulnerabilities, reviewed by the TCT and regulator.
How Does TIBER-EU Compare to CBEST and iCAST?
Several countries and regions have developed their own intelligence-led red teaming frameworks. Understanding the similarities and differences is important for multinational institutions that may need to comply with multiple frameworks.
| Feature | TIBER-EU | CBEST (UK) | iCAST (Hong Kong) |
|---|---|---|---|
| Governing Body | European Central Bank | Bank of England / PRA | Hong Kong Monetary Authority |
| Year Launched | 2018 | 2014 | 2016 |
| Scope | EU-wide (15+ countries) | United Kingdom | Hong Kong |
| TI Provider Required | Yes | Yes | Yes |
| RT Provider Required | Yes (CREST or equivalent) | Yes (CREST-certified) | Yes |
| Separate TI/RT Providers | Varies by country | Yes | Recommended |
| Live Production Testing | Yes | Yes | Yes |
| Regulatory Oversight | TCT (National authority) | CBEST Team | HKMA iCAST Team |
| Mutual Recognition | Yes (TIBER-EU members) | Via DORA alignment | No |
| Average Duration | 6-8 months | 4-6 months | 4-6 months |
CBEST, launched by the Bank of England in 2014, was the pioneering framework and heavily influenced TIBER-EU’s design. The primary difference is that CBEST strictly requires CREST-certified providers, while TIBER-EU allows national implementations to define their own provider qualification criteria.
iCAST, developed by the Hong Kong Monetary Authority, follows a similar intelligence-led approach but is tailored to the Asian financial sector’s threat landscape and regulatory environment.
A critical development is the EU’s Digital Operational Resilience Act (DORA), which came into effect in January 2025. DORA mandates threat-led penetration testing (TLPT) for significant financial entities across the EU, and TIBER-EU has been designated as the framework for these mandatory tests. This means TIBER testing has transitioned from voluntary to mandatory for many institutions.
Who Needs TIBER Testing?
TIBER testing is primarily required for entities that are considered systemically important to the financial system. The specific scope varies by national implementation, but generally includes:
- Systemically important banks (G-SIBs and D-SIBs)
- Central counterparties (CCPs) and clearinghouses
- Central securities depositories (CSDs)
- Payment system operators and critical payment infrastructure
- Major insurance companies with systemic importance designations
- Trading venues and exchange operators
- Critical third-party technology providers to the financial sector
Under DORA, the scope has expanded significantly. The regulation requires that all financial entities identified as significant by their competent authorities must undergo TLPT at least every three years. According to the European Banking Authority (EBA), approximately 400+ financial entities across the EU now fall within the mandatory TLPT scope.
In Switzerland, FINMA determines which institutions must undergo TIBER-CH testing based on their systemic importance classification. This typically includes the major banks (UBS, Raiffeisen Group, PostFinance, Zuercher Kantonalbank), SIX Group (operating the Swiss stock exchange and financial infrastructure), and other entities deemed critical.
For organisations navigating the complex landscape of Swiss cybersecurity regulation and red team testing requirements, AlpineExcellence.ch provides expert advisory services tailored to the Swiss financial sector.
What Are the Key Statistics and Regulatory Bodies Behind TIBER?
Understanding the regulatory landscape and empirical data behind TIBER helps institutions contextualize the framework’s importance and justify the investment in testing.
European Central Bank (ECB)
The ECB developed and maintains the TIBER-EU framework. Key data points from the ECB include:
- 100+ TIBER tests completed across Europe since 2018
- 15+ national implementations operational as of 2025
- 94% of tested institutions reported improved cyber resilience
- ECB budget for TIBER oversight increased by 35% in 2024-2025
FINMA (Switzerland)
FINMA’s approach to TIBER-CH reflects its principles-based regulatory philosophy:
- 6 systemically important institutions subject to mandatory TIBER-CH testing
- FINMA’s operational risk circulars explicitly reference TIBER-CH as a supervisory tool
- Annual FINMA guidance updates incorporate lessons learned from TIBER-CH engagements
- FINMA requires remediation plans to be implemented within 12 months of test completion
Bank of England
The Bank of England’s CBEST framework, which predates TIBER-EU, provides the longest track record of intelligence-led red teaming:
- Over 150 CBEST tests completed since 2014
- Average test reveals 12-15 critical findings per engagement
- 67% of findings relate to detection and response gaps rather than preventive control failures
- The Bank of England has signaled alignment with DORA’s TLPT requirements post-Brexit
Additional Industry Statistics
- $5.56 million: Average cost of a data breach in the financial sector (IBM, 2025)
- 83%: Percentage of financial institutions that discovered previously unknown attack paths through TIBER testing (Deloitte, 2024)
- 3.2x: Return on investment reported by institutions that used TIBER findings to prioritize security spending (McKinsey, 2024)
What Are Common Challenges and Best Practices for TIBER Engagements?
Organizations embarking on their first TIBER test often encounter predictable challenges. Understanding these in advance enables better preparation and more valuable outcomes.
Common Challenges
1. White Team Operational Security: Maintaining the secrecy of the test from the Blue Team is one of the most difficult aspects of a TIBER engagement. In small security teams, this can be particularly challenging. Best practice is to limit the White Team to the absolute minimum number of people and use secure, out-of-band communications.
2. Scope Creep and Flag Definition: Defining appropriate flags requires balancing ambition with feasibility. Flags should be specific enough to be measurable but broad enough to allow the red team creative freedom in their approach. Poorly defined flags lead to disputes about whether objectives were achieved.
3. Managing Risk in Live Production: Testing against live production systems inherently carries risk. Robust risk management frameworks, clear escalation procedures, and pre-agreed “circuit breakers” are essential. The White Team must be prepared to halt testing immediately if unintended impacts occur.
4. Provider Quality: Not all TI and RT providers have the experience and capability required for TIBER-grade engagements. Institutions should conduct thorough due diligence, including reviewing past TIBER engagement experience, team qualifications, and references from other TIBER engagements.
Best Practices
- Start Early: Allow at least 6 months from initiation to completion, with some engagements taking 8-10 months
- Invest in the TI Phase: The quality of the TTIR directly determines the value of the red team test
- Embrace Uncomfortable Findings: TIBER tests are designed to find gaps; defensive reactions undermine the framework’s value
- Purple Teaming: The closure phase’s purple team sessions are often the most valuable part of the entire engagement
- Continuous Improvement: Use TIBER findings to build a multi-year security improvement roadmap, not just a one-time fix list
Frequently Asked Questions About TIBER-EU
Is TIBER-EU mandatory? Under DORA (effective January 2025), threat-led penetration testing following the TIBER-EU framework is mandatory for significant financial entities in the EU every three years. In Switzerland, FINMA can mandate TIBER-CH for systemically important institutions.
How much does a TIBER test cost? Costs vary significantly based on the institution’s size and complexity, but typical TIBER engagements range from CHF 300,000 to CHF 1,500,000, encompassing both the TI and RT provider fees, internal resource costs, and remediation.
Can the same provider do both TI and RT? This varies by national implementation. Some countries (like the Netherlands) strictly require separate providers, while others allow the same organization to perform both functions with appropriate Chinese walls. TIBER-CH generally requires separate providers.
What happens if the red team causes damage? TIBER engagements include detailed liability agreements and insurance requirements. The White Team monitors for unintended impacts and can halt testing at any time. Providers are required to carry professional indemnity insurance appropriate to the risks involved.
How does TIBER differ from a regular penetration test? A regular penetration test typically operates within a predefined scope, uses known methodologies, and tests specific systems or applications. TIBER tests are intelligence-led (driven by real threat intelligence), target live production systems, test the entire defensive capability (people, processes, and technology), and simulate realistic adversary behavior over an extended period.
The TIBER-EU framework continues to evolve as the threat landscape changes and regulators incorporate lessons learned from completed engagements. For financial institutions in Switzerland and across Europe, TIBER testing represents the most rigorous and realistic assessment of their ability to withstand sophisticated cyberattacks against their most critical functions.
Sources
- ECB TIBER-EU Framework — confirms framework details and participating jurisdictions
- IBM Cost of a Data Breach Report 2025 — confirms financial services average breach cost of $5.56M (2025); the $4.88M figure from 2024 was the overall average, not financial-sector-specific